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DETAILED ACTION 
Response to Amendment 

1. The Applicants' amendment, filed 4 August 2005, has been received, entered into the record, 
and considered. 

2. As a result of the amendment, claims 1, 3, 6-8, 11, 12, 16 and 18 have been amended. 
Claims 1-20 remain pending in the application. 

The Invention 

3. The claimed invention is an apparatus for and method of using an Internet terminal coupled 
to the World Wide Web to access an existing proprietary database management system, wherein said 
accessing does not require the transmission of a user identifier across the Internet, thereby 
enhancing security. Sign in information from a user (such as a user id and password) is processed 
only at the Internet terminal, and only a special field indicative of the site specific user validation 
data is transmitted over the Internet as part of the service request. 

Specification 

4. Applicant has incorporated by reference numerous co-pending applications at various points 
in the specification. Examiner notes that incorporation by reference of an application in a printed 
United States Patent constitutes a special circumstance under 35 U.S.C. § 122 warranting that access 
of the original disclosure of the application be granted. The incorporation by reference will be 
interpreted as a waiver of confidentiality of only the original disclosure as filed, and not the entire 
application file. See In n Gallo, 231 USPQ 496 (Comm'r Pat. 1986). 
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If Applicant objects to access to the entire application file(s), two copies of the information 
incorporated by reference must be submitted along with the objection. Failure to provide the 
material within the period provided will result in the entire application(s) (including prosecution) 
being made available to petitioner. The Office will not attempt to separate the noted materials from 
the remainder of the application. See In re Marsh Engineering Co,, 1913 CD. 183 (Comm'r Pat. 1913). 

Claim Rejections - 35 USC § 112 

5. In view of the amendments to the claims, the examiner withdraws the rejection of claims 3- 

5. 8-10, 12-15 and 18-20 under 35 U.S.C. § 112, first paragraph. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 
102 of this tide, if the differences between the subject matter sought to be patented and the prior art are such that the 
subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not: be negatived by the manner in which the 
invention was made. 

7. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), 
that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) 
are summarized as follows: 

1. Determining the scope and contents of the prior art. 

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating obviousness or 
nonobviousness. 
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8. This application currently names joint inventors. In considering patentability of the claims 
under 35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was 
commonly owned at the time any inventions covered therein were made absent any evidence to the 
contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and 
invention dates of each claim that was not commonly owned at the time a later invention was made 
in order for the examiner to consider the applicability of 35 U.S.C. 103(c) and potential 35 

U.S.C. 102(e), (f) or (g) prior art under 35 U.S.C. 103(a). 

9. Claims 1-4, 6-8, 11-14 and 16-18 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Garrison (U.S. Patent 6,275,939) in view of De Capitani di Vimercati et al. ("Access Control 
in Federated Systems") in view of Steele et al. (U.S. Patent 6,282,175). 

10. Regarding claim 1, Garrison teaches a data processing environment having a user with a 
user identifier which uniquely identifies said user at a terminal at a. particular site and wherein said 
user utilizes said terminal to generate a particular one of a plurality of service requests requesting 
access to secure data responsively coupled via a publicly accessible digital data communication 
network to a database management system having at least one database > containing said secure data 
as claimed, comprising a security profile whereby said database management system permits said 
terminal to access said at least one database (see col. 4, lines 1-32; see also col. 6, line 60 through col. 
7, line 32; see also col. 7, line 50 through col. 8, line 37). 
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Garrison does not explicitly teach a data processing environment wherein the user accesses 
the database by transferring a second user identifier which uniquely identifies a particular site 
without transfer of said user identifier via said publicly accessible digital data communication 
network, nor including an administration module located within said database management system 
for permitting a manager having authority to access said administration module to associate a 
particular security level with each of said plurality of service requests. 

De Capitani di Vimercati et al., however, teaches a data processing environment wherein 
the user accesses the database by transferring a second user identifier which uniquely identifies a 
particular site without transfer of said user identifier via said publicly accessible digital data 
communication network (see page 88, col. 2, last paragraph; see also Table 1; see also section 3.2 
Authentication, beginning on page 94, all of which teach a mechanism whereby all users accessing a 
database from a particular site are granted access), 

and furthermore including an administration module located within said database 
management system for permitting a manager having authority to access said administration module 
to associate a particular security level with each of said plurality of service requests (see extensive 
discussion of the administration of authorizations, sections 2.3 Administration of Authorizations , 
page 90, and 2.4 Authorization Specification , page 91, and particularly the following disclosures: 
"The federation administrator specifies authorizations to access the federated objects and the access 
control decision is taken only with respect to these authorizations", page 90, col. 2, last paragraph; 
" . . .access control decisions are taken only with respect to authorizations specified by the local 
administrator", page 90, col. 2, last sentence, continuing onto page 91; "The federated administrator 
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specifies global authorizations to access the federated data [and t]he local administrator specifies 
authorizations to access the local objects", page 91, col. 1, second paragraph under section 2.4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the references, since they are all concerned with the same field of endeavor, that is, 
remotely accessing databases (see Garrison, Abstract; see also De Capitani di Vimercati et aL, 
Abstract). 

It would have been furthermore obvious to one of ordinary skill in the art at the time of the 
invention to provide an authentication mechanism whereby the user identifier need not be 
transmitted via a publicly accessible digital communication network (i.e., global authentication), since 
the alternative would be to impose local authentication, wherein users are required to re-authenticate 
themselves at each local site, which may make the access control process very heavy (see De 
Capitani di Vimercati et aL, page 89, col 2, last paragraph through page 90, col. 1, first 
paragraph). 

Finally, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to provide a mechanism to allow an administrator to configure the requirements for 
authorization to specific objects in the database by system users, since without such a mechanism all 
objects would necessarily have the same level of access, there beihg no mechanism to change said 
level of access. I 

Neither Garrison nor De Capitani di Vimercati et aL explicitly teaches a data processing 
environment wherein said service request is honored by executing a sequence of command language 
scripts having an associated security profile. 
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Steele et al., however, teaches a data processing environment wherein a service request is 
honored by executing a sequence of command language scripts having an associated security profile 
(see col 4, line 57 through col. 5, line 4; see also col. 7, lines 33-56). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
satisfy service requests through the execution of command language scripts having an associated 
security profile, since upon receipt of the service request the request can be satisfied merely by 
executing the corresponding predefined command language script (see Steele et al., col. 7, lines 33- 
56), without the necessity to first translate the request into a valid SQL command and then submit 
the SQL command to the database (as is the case in Garrison, col. 8, lines 9-19). 

11. Regarding claim 6, Garrison teaches an apparatus as claimed, comprising: 

a) a terminal located at a particular location (see col. 4, lines 1-32) having a user with a user 

identifier which identifies said user (see col. 6, line 60 through col. 7, line 13) and 
generates a particular one of a plurality of service requests (see col. 7, lines 25-32); 

b) a database management system having access to a database responsively coupled to said 

user terminal via a publicly accessible digital data communication network (see col. 4, 
lines 1-32) and honors said particular one of said plurality of service requests (see col. 
7, lines 50-67); and 
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c) a security profile generated by said database management system whereby said database 
management system provides access to a particular secure portion of said database 
corresponding to said security profile (see col. 7, line 50 through col. 8, line 37). 

Garrison does not explicitly teach an apparatus wherein the user accesses the database by 
transferring a second user identifier which uniquely identifies a particular site without transfer of said 
user identifier via said publicly accessible digital data communication network, nor including an 
administration module located within said database management system for permitting a manager 
having authority to access said administration module to associate a particular security level with 
each of said plurality of service requests. 

De Capitani di Vimercati et aL, however, teaches an apparatus wherein the user accesses 
the database by transferring a second user identifier which uniquely identifies a particular site 
without transfer of said user identifier via said publicly accessible; digital data communication 
network (see page 88, col. 2, last paragraph; see also Table 1; see also section 3.2 Authentication, 
beginning on page 94, all of which teach a mechanism whereby all users accessing a database from a 
particular site are granted access), - f \ 

and furthermore including an administration module located within said database 
management system for permitting a manager having authority to access said administration module 
to associate a particular security level with each of said plurality of service requests (see extensive 
discussion of the administration of authorizations, sections 2.3 Administration of Authorizations , 
page 90, and 2.4 Authorization Specification , page 91, and particularly the following disclosures: 
"The federation administrator specifies authorizations to access the federated objects and the access 
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control decision is taken only with respect to these authorizations", page 90, col. 2, last paragraph; 
". . .access control decisions are taken only with respect to authorizations specified by the local 
administrator", page 90, col. 2, last sentence, continuing onto page 91; "The federated administrator 
specifies global authorizations to access the federated data [and t]he local administrator specifies 
authorizations to access the local objects", page 91, col. 1, second paragraph under section 2.4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the references, since they are all concerned with the same field of endeavor, that is, 
remotely accessing databases (see Garrison, Abstract; see also De Capitani di Vimercati et al., 
Abstract). 

It would have been furthermore obvious to one of ordinary skill in the art at the time of the 
invention to provide an authentication mechanism whereby the user identifier need not be 
transmitted via a publicly accessible digital communication network (i.e., global authentication), since 
the alternative would be to impose local authentication, wherein users are required to re-authenticate 
themselves at each local site, which may make the access control process very heavy (see De 
Capitani di Vimercati et al., page 89, col. 2, last paragraph through page 90, col. 1, first 
paragraph). 

Finally, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to provide a mechanism to allow an administrator to configure the requirements for 
authorization to specific objects in the database by system users, since without such a mechanism all 
objects would necessarily have the same level of access, there being no mechanism to change said 
level of access. ' 
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Neither Garrison nor De Capitani di Vimercati et al. explicitly teaches an apparatus 
wherein said service request is honored by executing a sequence of command language scripts 
having an associated security profile. 

Steele et aL, however, teaches an apparatus wherein a service request is honored by 
executing a sequence of command language scripts having an associated security profile (see col. 4, 
line 57 through col. 5, line 4; see also col. 7, lines 33-56). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
satisfy service requests through the execution of command language scripts having an associated 
security profile, since upon receipt of the service request the request can be satisfied merely by 
executing the corresponding predefined command language script (see Steele et al., col. 7, lines 33- 
56), without the necessity to first translate the request into a valid SQL command and then submit 
the SQL command to the database (as is the case in Garrison, col. 8, lines 9-19). 

12. Regarding claim 11, Garrison teaches a method of utilizing a user terminal having a first 
identifier and a user with a user identifier located at a site to securely access a remote database 
management system having a database via a publicly accessible digital data communication network 
as claimed, comprising: 

a) signing on to said terminal by said user utilizing said user identifier (see col. 2, line 64 
through col. 3, line 2, disclosing that the client transmits a password to the client to 
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identify the user of the client system, meaning that the user has necessarily signed on 
to the client system utilizing a user identifier); 

b) transmitting a service request requiring secure access to said database from said terminal 

(see col. 6, line 60 through col. 7, line 32; see also col. 7, line 50 through col. 8, line 
37); 

c) receiving said service request by said remote database management system (see col. 6, line 

60 through col. 7, line 32; see also col. 7, line 50 through col. 8, line 37); 

d) determining a security profile (see col. 6, line 60 through col. 7, line 32; see also col. 7, line 

50 through col. 8, line 37); 

e) comparing said security profile with said first identifier' (see col. 6, line 60 through col. 7, 

line 32; see also col. 7, line 50 through col. 8 ? line 37); and 

f) honoring said service request if and only if said first identifier corresponds to said security 

profile (see col 6, line 60 through col. 7, line 32; see also col. 7, line 50 through col. 8, 
line 37). ; 

Garrison does not explicitly teach a method wherein the user accesses the database without 
transfer of said user identifier via said publicly accessible digital data communication network, nor 
including an administration module located within said database management system for permitting 
a manager having authority to access said administration module to associate a particular security 
level with each of said plurality of service requests. 

De Capitani di Vimercati et al., however, teaches a method wherein the user accesses the 
database without transfer of said user identifier via said publicly accessible digital data 
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communication network (see page 88, col. 2, last paragraph; see also Table 1; see also section 3.2 
Authentication, beginning on page 94, all of which teach a mechanism whereby all users accessing a 
database from a particular site are granted access), 

including the transmission of a request of a first identifier from said user terminal (see 
disclosure on page 89, col. 2, last paragraph, that "Upon reception of the requests by the federation, 

and furthermore including an administration module located within said database 
management system for permitting a manager having authority to access said administration module 
to associate a particular security level with each of said plurality of service requests (see extensive 
discussion of the administration of authorizations, sections 2.3 Administration of Authorizations , 
page 90, and 2.4 Authorization Specification , page 91, and particularly the following disclosures: 
"The federation administrator specifies authorizations to access the federated objects and the access 
control decision is taken only with respect to these authorizations", page 90, col. 2, last paragraph; 
". . .access control decisions are taken only with respect to authorizations specified by the local 
administrator", page 90, col. 2, last sentence, continuing onto page 91; "The federated administrator 
specifies global authorizations to access the federated data [and t]he local administrator specifies 
authorizations to access the local objects", page 91, col. 1, second paragraph under section 2.4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the references, since they are all concerned with the same field of endeavor, that is, 
remotely accessing databases (see Garrison, Abstract; see also De Capitani di Vimercati et al., 
Abstract). ■ 

It would have been furthermore obvious to one of ordinary skill in the art at the time of the 
invention to provide an authentication mechanism whereby the user identifier need not be 
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transmitted via a publicly accessible digital communication network (i.e., global authentication), since 
the alternative would be to impose local authentication, wherein users are required to re-authenticate 
themselves at each local site, which may make the access control process very heavy (see De 
Capitani di Vimercati et aL, page 89, col. 2, last paragraph through page 90, col. 1, first 
paragraph). 

Finally, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to provide a mechanism to allow an administrator to configure the requirements for 
authorization to specific objects in the database by system users, since without such a mechanism all 
objects would necessarily have the same level of access, there being no mechanism to change said 
level of access. 

De Capitani di Vimercati et al. additionally teaches alternative authentication wherein a 
request is transmitted to the database without any identifier, necessitating the database subsequently 
transmitting a request for an identifier to be used for authentication (see page 89, last paragraph). 

Given the teaching of a system wherein authentication information is transmitted together 
with a database request, it would have been an obvious variant to transmit the authentication 
information and database request separately, since this would conserve bandwidth in cases where 
some database requests could be serviced without authentication. 

Neither Garrison nor De Capitani di Vimercati et al. explicitly teaches a method wherein 
said service request is honored by executing a sequence of command language scripts having an 
associated security profile. 
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Steele et al., however, teaches a method wherein a service request is honored by executing a 
sequence of command language scripts having an associated security profile (see col. 4, line 57 
through col. 5, line 4; see also col. 7, lines 33-56). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
satisfy service requests through the execution of command language scripts having an associated 
security profile, since upon receipt of the service request the request can be satisfied merely by 
executing the corresponding predefined command language script (see Steele et al., col. 7, lines 33- 
56), without the necessity to first translate the request into a valid SQL command and then submit 
the SQL command to the database (as is the case in Garrison, col 8, lines 9-19). 

13. Regarding claim 16, Garrison teaches an apparatus as claimed, comprising: 

a) permitting means located at a site having a first identifier for permitting a user having a 

user identifier to interact with a database responsively coupled via a publicly accessible 
digital data communication network (see col. 4, lines 1-32); 

b) means responsively coupled to said permitting means via said publicly accessible digital 

data communication network for offering data processing services involving access to 
said database in response to said service request (see col. 6, line 60 through col. 7, line 
32; see also col. 7, line 50 through col 8, line 37); and 

c) means responsively coupled to said offering means for preventing said offering means 

from offering said data processing services to said user in response to said service 
request unless said site corresponds to a security profile wherein said security profile 
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permits access to said database (see col. 6, line 60 through col. 7, line 32; see also col. 
7, line 50 through col. 8, line 37), wherein the existence of the security profile renders 
the claimed administration module inherent, since the only claimed functionality if the 
administration module is to maintain the security profile, and the reference teaches the 
maintenance of a security profile at col. 7, lines 50-67 and col. 10, lines 5-17. 

Garrison does not explicidy teach an apparatus wherein the user accesses the database 
without transfer of said user identifier via said publicly accessible; digital data communication 
network, nor including an administration module located within said database management system 
for permitting a manager having authority to access said administration module to associate a 
particular security level with each of said plurality of service requests. 

De Capitani di Vimercati et al., however, teaches an apparatus wherein the user accesses 
the database without transfer of said user identifier via said publicly accessible digital data 
communication network (see page 88, col. 2, last paragraph; see also Table 1; see also section 3.2 
Authentication, beginning on page 94, all of which teach a mechanism whereby all users accessing a 
database from a particular site are granted access), ■/ 

and furthermore including a means for permitting a manager having authority to access said 
administration module to associate a particular security level with; each of said plurality of service 
requests (see extensive discussion of the administration of authorizations, sections 2.3 
Administration of Authorizations, page 90, and 2.4 Authorization Specification , page 91, and 
particularly the following disclosures: "The federation administrator specifies authorizations to 
access the federated objects and the access control decision is taken only with respect to these 
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authorizations", page 90, col. 2, last paragraph; . .access control decisions are taken only with 
respect to authorizations specified by the local administrator", page 90, col. 2, last sentence, 
continuing onto page 91; "The federated administrator specifies global authorizations to access the 
federated data [and t]he local administrator specifies authorizations to access the local objects", page 
91, col. 1, second paragraph under section 2.4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the references, since they are all concerned with the same field of endeavor, that is, 
remotely accessing databases (see Garrison, Abstract; see also De Capitani di Vimercati et al., 
Abstract). 

It would have been furthermore obvious to one of ordinary skill in the art at the time of the 
invention to provide an authentication mechanism whereby the user identifier need not be 
transmitted via a publicly accessible digital communication network (i.e., global authentication), since 
the alternative would be to impose local authentication, wherein users are required to re-authenticate 
themselves at each local site, which may make the access control process very heavy (see De 
Capitani di Vimercati et al., page 89, col. 2, last paragraph through page 90, col. 1, first 
paragraph). 

Finally, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to provide a mechanism to allow an administrator to configure the requirements for 

authorization to specific objects in the database by system users, since without such a mechanism all 

t 

objects would necessarily have the same level of access, there being no mechanism to change said 
level of access. ; 
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Neither Garrison nor De Capitani di Vimercati et al. explicitly teaches an apparatus 
wherein said service request is honored by executing a sequence of command language scripts 
having an associated security profile. 

Steele et al., however, teaches an apparatus wherein a service request is honored by 
executing a sequence of command language scripts having an associated security profile (see col. 4, 
line 57 through col. 5, line 4; see also col 7, lines 33-56). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
satisfy service requests through the execution of command language scripts having an associated 
security profile, since upon receipt of the service request the request can be satisfied merely by 
executing the corresponding predefined command language script (see Steele et al., col. 7, lines 33- 
56), without the necessity to first translate the request into a valid SQL command and then submit 
the SQL command to the database (as is the case in Garrison, col. 8, lines 9-19). 

14. Regarding claims 2 and 13, De Capitani di Vimercati et al. additionally teaches a data 
processing environment wherein a security profile is generated by said data management system (see 
sections 2.3 Administration of Authorizations, page 90, and 2.4 Authorizations Specification , page 
91, disclosing the specification by the federation administrator of authorizations to access federated 
data, and particularly the following disclosures: "The federation administrator specifies 
authorizations to access the federated objects and the access control decision is taken only with 
respect to these authorizations", page 90, col. 2, last paragraph; . .access control decisions are taken 
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only with respect to authorizations specified by the local administrator", page 90, col. 2, last 
sentence, continuing onto page 91; "The federated administrator specifies global authorizations to 
access the federated data [and t]he local administrator specifies authorizations to access the local 
objects", page 91, col. 1, second paragraph under section 2.4; see also disclosure that "Federated 
systems represent one of the new emerging technology for distributed database management and 
organization", under section 5 Conclusion, page 95). 

15. Regarding claims 3, 8, 12 and 18, De Capitani di Vimercati et al. additionally teaches an 
improvement, method and apparatus further comprising a portion of a user identifier whereby said 
database management system receives an identifier corresponding to said particular site (see page 88, 
col. 2, last paragraph; see also Table 1; see also section 3.2 Authentication, beginning on page 94, all 
of which teach a mechanism whereby all users accessing a database from a particular site are granted 
access through the use of an identifier corresponding to the site, and not an identifier corresponding 
to the user). 

16. Regarding claims 4, 14 and 17, Garrison additionally teaches an improvement, method and 
apparatus wherein said publicly accessible digital data communication network further comprises the 
Internet (see col. 4, lines 1-32). 

17. Regarding claim 7, Garrison additionally teaches an apparatus wherein said terminal accesses 
said data entity by transferring said one of a plurality of service requests to said system (see col. 6, 
line 60 through col. 7, line 32; see also col. 7, line 50 through col. 8, line 37). 
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18. Claims 5, 9, 10, 15, 19 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Garrison (U.S. Patent 6,275,939) in view of De Capitani di Vimercati et al. ("Access Control in 
Federated Systems") in view of Steele et al. (U.S. Patent 6,282,175) as applied to claims 1-4, 6-8, 11- 
14 and 16-18 above, and further in view of Unisys ("UNISYS CSG Marketplace - The Mapper 
System"). 

19. Regarding claims 5 and 19, Garrison, De Capitani di Vimercati et al. and Steele et al. 

teach an improvement to a data processing environment, method and apparatus substantially as 
claimed. 

None of Garrison, De Capitani di Vimercati et al. nor Steele et al. explicitly teaches the 
improvement, method and apparatus wherein said database management system is a legacy database 
management system. 

However, Unisys teaches the database management system MAPPER, constituting a legacy 
database management system (see entire document). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
use MAPPER as the database management system, since MAPPER contains many key features that 
make its use advantageous for users (see Unisys, key features under MAPPER Overview , page 3). 
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20. Regarding claims 9 and 15, Garrison, De Capitani di Vimercati et al. and Steele et al. 

teach an improvement to a data processing environment, method and apparatus substantially as 
claimed. 

None of Garrison, De Capitani di Vimercati et al. nor Steele et al. explicitly teaches the 
improvement, method and apparatus wherein said database management system is MAPPER. 

However, Unisys teaches the database management system MAPPER (see entire 
document). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
use MAPPER as the database management system, since MAPPER contains many key features that 
make its use advantageous for users (see Unisys, key features under MAPPER Overview , page 3). 

21. Regarding claim 10, Garrison additionally teaches an apparatus wherein said publicly 
accessible digital data communication network further comprises the World Wide Web (see col. 4, 
lines 1-32). 

22. Regarding claim 20, Garrison additionally teaches an apparatus wherein said permitting 
means further comprises an industry standard personal computer (see col. 4, lines 1-60). 
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Response to Arguments 

23. Applicant's arguments filed 4 August 2005 have been fully considered but they are not 
persuasive. 

24. Regarding the Applicants' argument that the amendments to the claims properly addresses 
the pending claim rejections under 35 U.S.C.§ 112, the examiner finds these arguments persuasive. 
The examiner has withdrawn the pending claim rejections under 35 U.S.C. § 112. 

25. Regarding the Applicants' argument that the newly added claim limitation (having a manager 
select the appropriate security level for a given service request), the examiner has added rejections to 
these limitations based on the disclosure of the De Capitani di Vimercati et al. reference. 

26. Regarding the Applicants' argument that the disclosure that "the alternative would be to 
impose local authentication, wherein users are required to re-authenticate themselves at each local 
site. . ." is not found anywhere in the reference, the examiner respectfully apologizes for misstating 
the location of the disclosure. Instead of the cited pages 87-88, the correct location of this 
disclosure is pages 89-90. The typographical error has been corrected in this Office action. 

Furthermore, regarding the Applicants' argument that the claimed invention uses local 
authentication, the examiner respectfully disagrees. The De Capitani di Vimercati et al. reference 
clearly teaches on page 90, first paragraph, that "If local authentication is to be applied, the user will 
have to type in login and password information for each site involved in the transaction.". In the 
second paragraph, the reference teaches that "In the global authentication, users are not required to 
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authenticate themselves at each local site. Their identity (and/or other information needed for 
access control) is passed to the site by the federation together with the request" 

In other words, local authentication requires explicit submission by the user (not the user 
terminal) of id/password information, wherein global authentication passes that information 
automatically without intervention on the part of the user. 

27. Regarding the Applicants' argument that there is no reasonable expectation for success in the 
combination of the references, the examiner respectfully disagrees. 

As stated in the previous Office action, in the field of computer programming, success is 
assured in the incorporation of a feature into a piece of software. . Unlike the chemical or mechanical 
arts where a given combination of chemicals or design of a part may not achieve the desired results, 
given a competent software engineer and programmer, any desired functionality can be implemented 
in any given software application. 

Thus, an ordinary artisan can reasonably be expected to successfully incorporate a feature 
from one software product into another software product : 

The Applicants seem to interpret the combination of software features as a matter of 
installing two software packages on the same computer and expecting them to work together. Such 
an interpretation is clearly erroneous. The incorporation of features of one software product into 
another software product would involve a software engineer designing and implementing the 
features as software enhancements. Any competent software engineer (or team of software 
engineers) can reasonably be expected to successfully implement enhancements to software. 
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28. Regarding the Applicants' argument that the Garrison reference fails to teach a security 
profile generated by the database management system, the examiner finds this argument persuasive. 

However, upon further consideration, and in view of the newly added limitations defining 
the administration module and its functionality, the examiner has rejected the relevant claims under 
new grounds (supra). 

29. Regarding the Applicants' argument that the Garrison reference fails to teach the site 
specific user-id, the examiner finds these arguments persuasive. 

The previously presented rejections were meant to relate the fact that the Garrison reference 
teaches the transmission of an identifier to the database management system, the fact that the 
identifier corresponded to a site and not a user having already been addressed in the rejections of the 
corresponding independent claims as having been taught by the De Capitani di Vimercati et al. 
reference. 

However, the Applicants' arguments are well taken. The previous rejection of these claims 
was not stated as clearly as was possible. As a result, the rejections have been restated, and the prior 
art cited is now the more explicit disclosure found in the De Capitani di Vimercati et al. 
reference. 

30. Regarding the Applicants' argument that the prior art of record fails to teach 'service 

requests', the examiner respectfully responds that any request made to a database, and requiring said 

( 

database to perform some action (or service) in order to satisfy said request, would clearly qualify as 
a 'service request'. Any database management system will necessarily execute a series of system 
commands in servicing a database request issued by a client. 
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31. Regarding the Applicants' argument that there would be no motivation nor expectation of 
success in combining the Unisys reference with the other cited references, the examiner respectfully 
disagrees. 

Both the Garrison reference and the De Capitani di Vimercati et al. reference teaches a 
system wherein access to data within a database is restricted. Database management software is 
necessary to interact with a database. The choice of a specific database manager would be based 
upon the features of different database management systems. 

The Unisys reference provides details of features that would make its use as a database 
management system, advantageous, and provides ample motivation for one of ordinary skill in the art 
to utilize MAPPER as the database manager in a system. 
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Conclusion 



Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Luke S. Wassum whose telephone number is 571-272-4119. The examiner can 
normally be reached on Monday- Friday 8:30-5:30, alternate Fridays off. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
John E. Breene can be reached on 571-272-4107. The fax phone number for the organization 
where this application or proceeding is assigned is 571-273-8300. : 

In addition, INFORMAL or DRAFT communications may be faxed directly to the examiner 
at 571-273-4119. Such communications must be clearly marked as INFORMAL, DRAFT or 
UNOFFICIAL. 

Customer Service for Tech Center 2100 can be reached during regular business hours at 
(571) 272-2100, or fax (571) 273-2100. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, 
contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




Luke S. Wassum 
Primary Examiner 
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